I'm using Windows Live OneCare. Every time, it shows a pop-up that "Live OneCare has blocked qwerty12".

After getting this pop-up, I searched for files named qwerty12 and found two files on my system: one in "windows\system32\qwerty12.exe" and a second in "WINDOWS\Prefetch\QWERTY12.EXE-29BA6945.pf". Then I tried to delete those files but got an error because the service for qwerty12 was running in the background and can't be stopped. I finally deleted them after booting in safe mode, but it didn't help me, as it reappears after rebooting my system.

Even "HijackThis" didn't help me, and then I used HijackRemote (www.hijackremote.com) to solve my problem... Still waiting for their response.

Please help me to permanently remove qwerty12 from my PC? Level of risk?

Hi, There are lots of ways a process can be restarted following a reboot. I'd check those locations for your suspect file. The Microsoft utility autoruns (formerly from sysinternals) will show you most of these locations.

Thank you very much for such a good tool. I found one service with the name "Domain Service" running in the background with Image path as "windows\system32\qwerty12.exe" and unchecked it, but Qwerty12.exe is still running. I'm not able to determine its exact autorun service.

I tried Trend-Micro, Live OneCare, and Spyware Doctor, but none of them helped me to fix this problem.

Please tell me if there is any spyware tool that can help me by automatically detecting its services.

Last edited by real.whitehat on Thu Jul 26, 2007 4:11 pm, edited 1 time in total.

Hi, I suggest you read the usage information on the website to learn how to use autoruns. Then look for any suspect processes being started at boot time. Check out the registry and services first of all and also check for browser helper objects (BHOs).

It would be safest to wipe your system, reinstall the OS and restore your data from a known good backup. Otherwise you're not going to be sure that you've removed all traces of the malware.
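The registry locations named in the reply above (services, Run keys and BHOs) can also be listed from a script. This is an added example, not part of the original thread; it assumes PowerShell 3 or later run from an elevated prompt, and the default file name is the one reported in the thread.

```powershell
# Added example: report autostart entries that reference a suspect file name.
param([string]$Suspect = 'qwerty12.exe')   # name taken from the thread
$hits = @()

# Services: ImagePath (EXE or driver) and Parameters\ServiceDll (svchost-hosted DLL).
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $paths = @($_.GetValue('ImagePath'))
    try {
        $par = $_.OpenSubKey('Parameters')
        if ($par) { $paths += $par.GetValue('ServiceDll') }
    } catch { }   # some service keys are not readable; skip their Parameters subkey
    foreach ($p in $paths) {
        if ($p -and ([string]$p) -like "*$Suspect*") {
            $hits += [pscustomobject]@{ Type = 'Service'; Name = $_.PSChildName; Value = [string]$p }
        }
    }
}

# Run / RunOnce values for the machine and the current user.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $key = Get-Item $k
    foreach ($name in $key.GetValueNames()) {
        $val = [string]$key.GetValue($name)
        if ($val -like "*$Suspect*") {
            $hits += [pscustomobject]@{ Type = "Run ($k)"; Name = $name; Value = $val }
        }
    }
}

# BHOs: list every registered helper with its DLL, since a loader DLL may use a different name.
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoRoot) {
    Get-ChildItem $bhoRoot | ForEach-Object {
        $clsid  = $_.PSChildName
        $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path -LiteralPath $inproc) { (Get-Item -LiteralPath $inproc).GetValue('') } else { '(no InprocServer32)' }
        $hits += [pscustomobject]@{ Type = 'BHO'; Name = $clsid; Value = [string]$dll }
    }
}

$hits | Format-Table -AutoSize -Wrap
```

Service and Run-key rows appear only when the value references the suspect name; BHO rows are always listed for manual review.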

I tried everything you mentioned, even deleted some suspicious files, but nothing helped me. Here I'm posting a log from TrendMicro HijackThis; please have a look and tell me if you find any suspicious file that is running in the background. However, "Qwerty12.exe" is not there in the log because I fixed it using HijackThis, but it is not going to help me; it will reappear when I reboot my system...

Here in this log I highlighted/commented on some of the running services with bold+italic; please tell me what they are for?

Just a few days back one new problem started on my PC: I'm able to open My Computer/Explorer but not able to explore a drive or folder. Every time I double-click on any drive/folder my screen goes blank and reappears after a second with a clean desktop without any opened folder.

First I thought that there was a problem with explorer.exe, and to confirm this I ended the current explorer.exe from Task Manager and then started a new service for explorer.exe from c:\windows\explorer.exe (another XP installed on the C drive).

Been doing some research and some people have removed the qwerty12.exe using VundoFix.

What this program does:

The Vundo family of Trojans is one of the most common infections we find on users' PCs. The infection can cause popups which usually advertise rogue antispyware programs. Some common rogue antispyware programs that are advertised are WinFixer, SysProtect and winantispyware, for example. Users are normally targeted by false positives and warnings of infection; an example of this could be popups alerting users they are infected with a blackworm virus. The most common method of infection is through outdated versions of the Sun Java platform; older versions are being exploited, so it is important to firstly make sure that your Java software is fully up to date. Thankfully, the infection is relatively easy to remove, and a specialised tool has been created to remove the Vundo trojan from infected computers. The following guide will explain how to use the tool, and hopefully rid your system of this malware.

At your own risk, follow these instructions on how to use this application:

Please download VundoFix.exe to your desktop.

* Double-click VundoFix.exe to run it.
* When VundoFix re-opens, click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES.
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

After you're done, run the HijackThis scan and post the log here. I saw a couple of interesting things in your previous log. However, let's do this one step at a time and first use VundoFix to see if it removes the qwerty12.exe app.

Name: DomainService
Filename: qwerty12.exe
Fix qwerty12.exe errors: Try a Registry Scan
Command: qwerty12.exe
Description: Identified as a variant of the Trojan.Win32.Agent.aoy Trojan.
File Location: %System%
Startup Type: This startup entry is installed as a Windows NT, 2000, 2003, or XP service.
Service Name: DomainService
Service Display Name: DomainService
HijackThis Category: O23 Entry
Note: %System% is a variable that refers to the Windows System folder. By default this is C:\Windows\System for Windows 95/98/ME, C:\Winnt\System32 for Windows NT/2000, or C:\Windows\System32 for Windows XP.
Removal Instructions: How to remove a Trojan, Virus, Worm, or other Malware

Since this is a trojan variant, I definitely recommend what jimbob earlier suggested:

It would be safest to wipe your system, reinstall the OS and restore your data from a known good backup. Otherwise you're not going to be sure that you've removed all traces of the malware.

But if you still want to remove this malware, read the following instructions and see if this helps: